In an earlier post, I talked about “The Secret to Passing a HIPAA Audit.” And it came down to the Boy Scout motto: Be prepared.
Today I’d like to expand a bit on that and offer some info on specific areas of compliance the HIPAA auditors will be delving into. These areas aren’t a secret. In fact, auditors who’ll be knocking on doors of practices like yours will arrive with very clear guidelines from HHS as to what to look for and evaluate.
To help you be prepared for a possible audit, this blog will focus on those key areas.
The Big Three in a HIPAA Audit
Leon Rodriguez, Director of the Office of Civil Rights (the department in charge of HIPAA enforcement) from 2011 – 2014, said that the expanded HIPAA auditing program will place special emphasis on vulnerabilities that can change from year to year. That said, auditors’ investigations will continue to revolve around these three topics: Privacy, Security, and Breach Notification.
What I’d like to do next is give you some examples of the law – verbatim — from each of these areas, and follow that up with the procedure the auditor will likely use in each of those instances to determine whether or not an office is HIPAA compliant. Ready?
The HIPAA Privacy Rule says, in part, “A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies and is limited to the relevant requirements of such law.”
To evaluate how you’re doing in this area, an auditor will want to see and review your Notice of Privacy Practices, as well as your documented Policies and Procedures for disclosing protected information.
As an essential component of the HIPAA Security Rule, healthcare practices are required to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
The first inquiries an auditor will make here are: “Do you have policies and procedures in place for reviewing information-system activities?” And “Can I see them?” (Hint: The right answer to both questions would be “Yes.”) He or she will dig deeper to make sure those policies and procedures are comprehensive and up-to-date. And don’t be surprised if your auditor also asks for specifics on how your office conducts its reviews.
In regard to Breach Notifications, the law says, “A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such a breach.”
Since this is an issue that that has gotten a lot of press – the breach at Target, for instance — auditors are sure to ask whether or not your office has a process in place for notifying patients of a breach within the required time period. They’ll also want to see and review documents that outline that process.
The Boy Scouts were on to something
As you can see, being prepared takes, well, a lot of prep. But complying with HIPAA is worth the effort – not only in terms of taking the necessary steps to safeguard patient information, but also as a way to protect your practice from large fines and potential lawsuits.